From owner-freebsd-ipfw@freebsd.org  Wed Apr 20 10:28:16 2016
Return-Path: <owner-freebsd-ipfw@freebsd.org>
Delivered-To: freebsd-ipfw@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 26002B16206
 for <freebsd-ipfw@mailman.ysv.freebsd.org>;
 Wed, 20 Apr 2016 10:28:16 +0000 (UTC)
 (envelope-from rfg@tristatelogic.com)
Received: from outgoing.tristatelogic.com (segfault.tristatelogic.com
 [69.62.255.118]) by mx1.freebsd.org (Postfix) with ESMTP id 019F61CA2
 for <freebsd-ipfw@freebsd.org>; Wed, 20 Apr 2016 10:28:15 +0000 (UTC)
 (envelope-from rfg@tristatelogic.com)
Received: from segfault-nmh-helo.tristatelogic.com (localhost [127.0.0.1])
 by segfault.tristatelogic.com (Postfix) with ESMTP id 983E03ACDA
 for <freebsd-ipfw@freebsd.org>; Wed, 20 Apr 2016 03:21:56 -0700 (PDT)
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>
To: freebsd-ipfw@freebsd.org
Subject: How can I find the bandwidth hogs?
Date: Wed, 20 Apr 2016 03:21:56 -0700
Message-ID: <162.1461147716@server1.tristatelogic.com>
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw/>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
 <mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 10:28:16 -0000


I don't have very much inbound bandwidth... only 6MB/sec.  I've noticed,
repeatedly, that when visiting various web sites, even if I'm not
actively doing anything on these sites, _something_ ends up gobbling
up as much as 2/3rds or more of my inbound bandwidth.  I suspect
that this may perhaps be due to some nasty bandwith hogging banner
advertisments associated with the sites I visit.  Or maybe not.
I really don't know.  But I would like to find out which IPs are
the main source of this problem so that I can just simply block
those in my IPFW rules.

So anyway, my question is a simple one:  How can I get ipwf... or
something else... to keep counts of the numbers of bytes received
from a given source port AND also from various source IPs, i.e. over
some period of time, e.g. an hour or a day?

Please understand.  I _do not_ just want ipfw to give me a TOTAL
count of all bytes received, over time, from some particular source
port (e.g. 80, 443).  I already know how to do that simple thing.
Rather, I want ipfw... or some other tool... to give me, at the
end of the test time period... a nice LIST of how many bytes came in
from each and every separate source IP over the given time period.
(There could be hundreds or thousands of IPs sending me packets
with a source port of 80 or 443 over the given time period, so
that list could end up being really long.)

Can anybody give me a hint of how to do this?